test(invocation): verify arguments versus aggregated policies

2024-11-27 10:20:40 -05:00
parent 1166a68e5c
commit ce1a4b6e32
14 changed files with 200 additions and 61 deletions
--- a/token/delegation/delegationtest/data/TokenCarolDan_InvalidExpired.dagcbor
+++ b/token/delegation/delegationtest/data/TokenCarolDan_InvalidExpired.dagcbor
--- a/token/delegation/delegationtest/data/TokenCarolDan_ValidExamplePolicy.dagcbor
+++ b/token/delegation/delegationtest/data/TokenCarolDan_ValidExamplePolicy.dagcbor
--- a/token/delegation/delegationtest/data/TokenDanErin_InvalidExpired.dagcbor
+++ b/token/delegation/delegationtest/data/TokenDanErin_InvalidExpired.dagcbor
--- a/token/delegation/delegationtest/data/TokenDanErin_ValidExamplePolicy.dagcbor
+++ b/token/delegation/delegationtest/data/TokenDanErin_ValidExamplePolicy.dagcbor
--- a/token/delegation/delegationtest/data/TokenErinFrank_InvalidExpired.dagcbor
+++ b/token/delegation/delegationtest/data/TokenErinFrank_InvalidExpired.dagcbor
--- a/token/delegation/delegationtest/data/TokenErinFrank_ValidExamplePolicy.dagcbor
+++ b/token/delegation/delegationtest/data/TokenErinFrank_ValidExamplePolicy.dagcbor
--- a/token/delegation/delegationtest/generator/generator.go
+++ b/token/delegation/delegationtest/generator/generator.go
@@ -14,6 +14,7 @@ import (
 	"github.com/ucan-wg/go-ucan/did/didtest"
 	"github.com/ucan-wg/go-ucan/pkg/command"
 	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy/policytest"
 	"github.com/ucan-wg/go-ucan/token/delegation"
 	"github.com/ucan-wg/go-ucan/token/delegation/delegationtest"
 )
@@ -86,7 +87,7 @@ func (g *generator) chainPersonas(personas []didtest.Persona, acc acc, vari vari
 		privKey: personas[0].PrivKey(),
 		aud:     personas[1].DID(),
 		cmd:     delegationtest.NominalCommand,
-		pol:     policy.Policy{},
+		pol:     policytest.EmptyPolicy,
 		opts: []delegation.Option{
 			delegation.WithSubject(didtest.PersonaAlice.DID()),
 			delegation.WithNonce(constantNonce),
@@ -128,6 +129,9 @@ func (g *generator) chainPersonas(personas []didtest.Persona, acc acc, vari vari
 				}
 				p.opts = append(p.opts, delegation.WithNotBefore(nbf))
 			}},
+			{name: "ValidExamplePolicy", variant: func(p *newDelegationParams) {
+				p.pol = policytest.ExamplePolicy
+			}},
 		}

 		// Start a branch in the recursion for each of the variants
--- a/token/delegation/delegationtest/token_gen.go
+++ b/token/delegation/delegationtest/token_gen.go
@@ -75,17 +75,17 @@ var (
 )

 var (
-	TokenCarolDan_InvalidExpiredCID = gocid.MustParse("bafyreigenypixaxvhzlry5rjnywvjyl4xvzlzxz2ui74uzys7qdhos4bbu")
+	TokenCarolDan_InvalidExpiredCID = gocid.MustParse("bafyreifrbm6bgyqdzhhcubbb7dnhq3aq6udvdbfs7mhqjs3d2ihraelufu")
 	TokenCarolDan_InvalidExpired    = mustGetDelegation(TokenCarolDan_InvalidExpiredCID)
 )

 var (
-	TokenDanErin_InvalidExpiredCID = gocid.MustParse("bafyreifvnfb7zqocpdysedcvjkb4y7tqfuziuqjhbbdoay4zg33pwpbzqi")
+	TokenDanErin_InvalidExpiredCID = gocid.MustParse("bafyreibbh5ujs6udphkl3exffohxsg5mdknoqzjb3gdhmuncg3qnomzemy")
 	TokenDanErin_InvalidExpired    = mustGetDelegation(TokenDanErin_InvalidExpiredCID)
 )

 var (
-	TokenErinFrank_InvalidExpiredCID = gocid.MustParse("bafyreicvydzt3obkqx7krmoi3zu4tlirlksibxfks5jc7vlvjxjamv2764")
+	TokenErinFrank_InvalidExpiredCID = gocid.MustParse("bafyreiggzczmqlybhxljmlfot5t7o4w6fhdv7fme77a466ku73dhxtqzdq")
 	TokenErinFrank_InvalidExpired    = mustGetDelegation(TokenErinFrank_InvalidExpiredCID)
 )

@@ -104,6 +104,21 @@ var (
 	TokenErinFrank_InvalidInactive    = mustGetDelegation(TokenErinFrank_InvalidInactiveCID)
 )

+var (
+	TokenCarolDan_ValidExamplePolicyCID = gocid.MustParse("bafyreibtfrp2njnkjrcuhxd4ebaecmpcql5knek2h2j2fjzu2sij2tv6ei")
+	TokenCarolDan_ValidExamplePolicy    = mustGetDelegation(TokenCarolDan_ValidExamplePolicyCID)
+)
+
+var (
+	TokenDanErin_ValidExamplePolicyCID = gocid.MustParse("bafyreidxfwbkzujpu7ivulkc7b6ff4cpbzrkeklmxqvyhhmkmym5b45e2e")
+	TokenDanErin_ValidExamplePolicy    = mustGetDelegation(TokenDanErin_ValidExamplePolicyCID)
+)
+
+var (
+	TokenErinFrank_ValidExamplePolicyCID = gocid.MustParse("bafyreiatkvtvgakqcrdk6vgrv7tbq5rbeiqct52ep4plcftp2agffjyvp4")
+	TokenErinFrank_ValidExamplePolicy    = mustGetDelegation(TokenErinFrank_ValidExamplePolicyCID)
+)
+
 var ProofAliceBob = []gocid.Cid{
 	TokenAliceBobCID,
 }
@@ -238,3 +253,24 @@ var ProofAliceBobCarolDanErinFrank_InvalidInactive = []gocid.Cid{
 	TokenBobCarolCID,
 	TokenAliceBobCID,
 }
+
+var ProofAliceBobCarolDan_ValidExamplePolicy = []gocid.Cid{
+	TokenCarolDan_ValidExamplePolicyCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_ValidExamplePolicy = []gocid.Cid{
+	TokenDanErin_ValidExamplePolicyCID,
+	TokenCarolDan_ValidExamplePolicyCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_ValidExamplePolicy = []gocid.Cid{
+	TokenErinFrank_ValidExamplePolicyCID,
+	TokenDanErin_ValidExamplePolicyCID,
+	TokenCarolDan_ValidExamplePolicyCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
--- a/token/invocation/errors.go
+++ b/token/invocation/errors.go
@@ -35,3 +35,7 @@ var (
 	// next delegation or invocation's command.
 	ErrCommandNotCovered = errors.New("allowed command doesn't cover the next delegation or invocation")
 )
+
+// ErrPolicyNotSatisfied is returned when the provided Arguments don't
+// satisfy one or more of the aggregated Policy Statements
+var ErrPolicyNotSatisfied = errors.New("the following UCAN policy is not satisfied")
--- a/token/invocation/invocation_test.go
+++ b/token/invocation/invocation_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/ucan-wg/go-ucan/did/didtest"
 	"github.com/ucan-wg/go-ucan/pkg/args"
 	"github.com/ucan-wg/go-ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/policy/policytest"
 	"github.com/ucan-wg/go-ucan/token/delegation/delegationtest"
 	"github.com/ucan-wg/go-ucan/token/invocation"
 )
@@ -48,6 +49,18 @@ func TestToken_ExecutionAllowed(t *testing.T) {
 		testPasses(t, didtest.PersonaFrank, delegationtest.AttenuatedCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank)
 	})

+	t.Run("passes - arguments satisfy empty policy", func(t *testing.T) {
+		t.Parallel()
+
+		testPasses(t, didtest.PersonaFrank, delegationtest.NominalCommand, policytest.ExampleValidArguments, delegationtest.ProofAliceBobCarolDanErinFrank)
+	})
+
+	t.Run("passes - arguments satify example policy", func(t *testing.T) {
+		t.Parallel()
+
+		testPasses(t, didtest.PersonaFrank, delegationtest.NominalCommand, policytest.ExampleValidArguments, delegationtest.ProofAliceBobCarolDanErinFrank_ValidExamplePolicy)
+	})
+
 	t.Run("fails - no proof", func(t *testing.T) {
 		t.Parallel()

@@ -115,12 +128,19 @@ func TestToken_ExecutionAllowed(t *testing.T) {

 		testFails(t, invocation.ErrWrongSub, didtest.PersonaFrank, delegationtest.ExpandedCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank_InvalidSubject)
 	})
+
+	t.Run("passes - arguments satify example policy", func(t *testing.T) {
+		t.Parallel()
+
+		testFails(t, invocation.ErrPolicyNotSatisfied, didtest.PersonaFrank, delegationtest.NominalCommand, policytest.ExampleInvalidArguments, delegationtest.ProofAliceBobCarolDanErinFrank_ValidExamplePolicy)
+	})
+
 }

 func test(t *testing.T, persona didtest.Persona, cmd command.Command, args *args.Args, prf []cid.Cid, opts ...invocation.Option) error {
 	t.Helper()

-	// TODO: use the args and add minimal test to check that they are verified against the policy
+	opts = append(opts, invocation.WithArguments(args))

 	tkn, err := invocation.New(persona.DID(), didtest.PersonaAlice.DID(), cmd, prf, opts...)
 	require.NoError(t, err)
--- a/token/invocation/proof.go
+++ b/token/invocation/proof.go
@@ -134,7 +134,7 @@ func (t *Token) verifyArgs(delegations []*delegation.Token, arguments *args.Args

 	ok, statement := policies.Match(argsIpld)
 	if !ok {
-		return fmt.Errorf("the following UCAN policy is not satisfied: %v", statement.String())
+		return fmt.Errorf("%w: %v", ErrPolicyNotSatisfied, statement.String())
 	}

 	return nil